[wp-hackers] Potential (security) issue with Twenty Ten?

Bjorn Wijers burobjorn at gmail.com
Thu Jan 6 11:26:11 UTC 2011


Not sure if this is the right place to discuss this, so please point me 
in the right direction if this should be discussed somewhere else...

I was looking at Twenty Ten and noticed this piece of code below the 
theme textdomain loading in the functions.php:

91 load_theme_textdomain( 'twentyten', TEMPLATEPATH . '/languages' );
93 $locale = get_locale();
94 $locale_file = TEMPLATEPATH . "/languages/$locale.php";
95 if ( is_readable( $locale_file ) )
96   require_once( $locale_file );


I do not understand why after loading the theme's translations files 
another file ($locale.php) is included. Also the $locale, as far as I 
can see although I haven't dived into it, does not get escaped. Somehow 
this looks kinda funky.

Can somebody explain why this of code is included in Twenty Ten? And why 
this is used after already loading the translations using 
load_theme_textdomain() function.




met vriendelijke groet,
Bjorn Wijers

* b u r o b j o r n .nl *
digitaal vakmanschap | digital craftsmanship

Van maandag t/m donderdag vanaf 10:00
Vrijdag is voor experimenteren en eigen projecten.

Concordiastraat 68-126
3551 EM Utrecht
The Netherlands

tel: +31 6 49 74 78 70

More information about the wp-hackers mailing list